Information Security – A Collective Responsibility

Security breaches have become regular news headlines. They occur everywhere, in companies small and large, and in every industry, from retail to IT.

The threat posed by cyber criminals to critical IT infrastructure and business interests is a dangerous reality today. It is made worse by the fact that many businesses operate across different geographical locations, and their applications and systems are accessed from multiple devices, making businesses more susceptible to cyber threats than ever before. This has made cyber security a critical boardroom priority.

The dual security challenges for organizations:

Nobody wants their business to be hit by a security compromise, and many companies are charting out strategies to deal with increasing cyber threats.

However, as companies expand their business presence, it becomes increasingly complicated to come up with a uniform security framework that works seamlessly across every geography they operate in.

The reason is simple: different countries impose different security obligations and regulatory compliance requirements that companies must adhere to. For example, HIPAA applies to health care providers in the US and MiFID to financial services in the EU. Security management therefore carries a double obligation, on both the regulatory and the technology fronts.
On one hand, organizations have to tighten their security measures; on the other, they are bound by legal obligations. How can organizations handle this twofold challenge?

Security has to become a part of organizational culture and a collective responsibility:

Information technology has touched virtually every enterprise in the world. Hence, fostering data security for business assurance is indispensable.

Security is a shared responsibility. Whether they are employees, business partners, or other stakeholders, personnel with access to sensitive data should not view security as an unwelcome cost of doing business. Rather, awareness of threats and vulnerabilities should be top of mind even for casual technology users in an organization.

Even a minor security lapse can create serious security risks that can jeopardize business operations and result in serious losses. Organizations can prevent this by following these three steps:

  • A thorough vulnerability assessment of people, processes, and systems must be scoped, conducted, and reviewed with the assistance of security experts.
  • When designing new systems, launching new business applications, or upgrading existing systems and applications, employees must be trained on the associated risks.
  • Lawyers and other relevant experts must be consulted when entering new markets, to ensure that all legal and compliance issues are examined critically.

Organizations must realize that while security laws may remain static for some time, technology is dynamic. It keeps changing fast, and changing technology undoubtedly brings new types of threats.

So while laws on information security might not keep pace with technological change, companies must look beyond their legal requirements and take a robust security stance.

The way forward:

The threat posed by cyber criminals to critical business infrastructure must be taken seriously. Companies must maintain effective security frameworks, monitor for unwanted and abnormal activity, and conduct frequent security reviews of all systems, applications, and networks.

Organizations must implement industry best practices without fail in order to reduce cyber risk. Security must be ingrained in company culture; every employee must understand, and act on the understanding, that security is a collective responsibility.